Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 638 discussion

AWS Transfer Family (Option D) By configuring AWS Transfer Family SFTP endpoints, you can provide a secure and convenient way for employees to access and transfer data to and from the S3 bucket. Using custom identity provider options allows you to integrate with existing identity systems, and AWS Secrets Manager can be used to manage user credentials securely. A suggests using an AWS Lambda function to create an S3 presigned URL. While this can work, it involves manual generation of URLs and sharing them, which may not be as scalable or user-friendly. B suggests creating an IAM user for each employee with IAM policies for S3 access. This involves more operational overhead, as managing IAM users for each employee can be cumbersome and less scalable. C suggests using an S3 File Gateway. While this can work, it introduces additional components and may not be as straightforward or as efficient as using AWS Transfer Family for SFTP access.

Not A - S3 presigned URLs are temporary (max. 7 days); you'd need to create a new URL at least every 7 days and "instruct employees" to use it. Definitely NOT 'minimizing operational overhead'. Not B - "Instruct employees to use the AWS Management Console", using Management console to up- and download files is complex Not D - Secrets Manager is not for managing user credentials, and employees would not "use Transfer Family", they would use an (S)FTP client to access the files. C grants simple access for up/downloading, no operational overhead.

Sharing S3 access with one who has no amazon credential is to provide presigned URL. C is not right becasue S3 File Gateway is for on-premise access(corporate) to S3.

I will vote for C. For A, the S3 presigned URL is expired in 7 days, you need to implement a process to allow user send an access request, then validate the user, then trigger the lamdba to generate the resigned URL and send it back to the user. For D, using AWS secret manager to manage the user credentials does not sound practical unless it uses Active Directory.

S3 File Gateway is designed for hybrid cloud use cases where on-premises applications need to interact with S3. It introduces additional infrastructure complexity and costs, making it less suitable for the described requirements.

A - Definitely not ideal. Presigned URLs have a maximum expiration time of 7 days, which might be limiting for ongoing or long-term data sharing. If employees require frequent or dynamic access to multiple files (which is likely the case because this is a research-type company), they’d need a new URL each time. B - This is cumbersome and tiresome. C - This is better, but still not ideal for global employees unless the gateway is highly distributed. D - Secrets Manager stores sensitive information like passwords or API keys but is not a user directory, so they cannot "manage" credentials.

It is not operationally eficient to manage, for example, 1000 signed URLs or user credentials. In addition, it is sometimes dificult to instruct that many people. It's easier to create an S3 File Gateway and allow the users to mount it locally to access the bucket. It could be D if the answer said to use IAM roles instead of managing user credentials in Secrets Manager

but they didnt mention access in for daily use of occasional. If its occasional A works well but its permanant thing them mouting drive is solution.

i think is d

Less operational overheade is C https://docs.aws.amazon.com/filegateway/latest/files3/GettingStartedAccessFileShare.html on client pc is easily mounted. I remain with some doubts but i will go for C

i would go with A

D seems right

A. Use an AWS Lambda function to create an S3 presigned URL. This solution meets the requirements by providing a secure way for employees to access the data stored in the Amazon S3 bucket. Here's how it works: When an employee needs to access the data, they request access from the company's system. The company's system triggers an AWS Lambda function. The Lambda function generates a presigned URL with a limited validity period. The employee uses the presigned URL to access the data directly from the S3 bucket. Once the presigned URL expires, access to the data is no longer possible, enhancing security. This solution minimizes operational overhead because it leverages AWS Lambda, which is a fully managed service. There is no need to manage servers or infrastructure, and the solution provides a secure and temporary access mechanism for sharing data stored in Amazon S3.

I legitimately get worried every time we have a tie

Answer: *A* (Lambda + S3 pre-signed URL = automatic access) *You can use the pre-signed URL multiple times, up to the expiration date and time.* https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html

Couldn't find any options that's good for the question. D is most operation efficient but not using AWS Secret Manager as managing credentials, should integrate with IAM or AD instead

Minimise op overhead: A: Lambdas and signed url will need to be managed and distributed to each employee every 7 days. So need database of employees and connect to lambda etc B: Too much work (imagine doing that for large number of employees!) D: Incomplete solution. SFTP endpoints need SFTP client and credential approach in Secrets Manager is not going to work